Analysis

- max time kernel: 149s
- max time network: 157s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 09-11-2024 22:00
Static task: static1

Behavioral task: behavioral1
- Sample: 23163860ee2f9415492006cce2ca696a8f7f8fc9a4c150b3c9b9d906cd333eab.apk
- Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
- Sample: 23163860ee2f9415492006cce2ca696a8f7f8fc9a4c150b3c9b9d906cd333eab.apk
- Resource: android-x64-20240910-en

Behavioral task: behavioral3
- Sample: 23163860ee2f9415492006cce2ca696a8f7f8fc9a4c150b3c9b9d906cd333eab.apk
- Resource: android-x64-arm64-20240910-en
General

- Target: 23163860ee2f9415492006cce2ca696a8f7f8fc9a4c150b3c9b9d906cd333eab.apk
- Size: 4.2MB
- MD5: 7177f9c16a5d9d3da2e23077bb6063dd
- SHA1: 636e400419a43b96d0b24226dde82adf8c5e6b70
- SHA256: 23163860ee2f9415492006cce2ca696a8f7f8fc9a4c150b3c9b9d906cd333eab
- SHA512: 3562e4edcde62bab61a9e8592f44911e475dbb97510f0cff5328dd2319738ac75be2db74261c3a888812bd2dd6cfba9ab784ff948cc751176578c17c94152ad7
- SSDEEP: 98304:kfPMPRWmSmyV7gUd235dbYR26/hgMCHzLYy8LVwdDNipIplD0b:5TUg359YI6OVTFTTnDM
Malware Config

Extracted:
- Family: hook
- C2: http://91.202.233.15
Signatures

- Hook
  Hook is an Android malware that is based on Ermac with RAT capabilities.

- Hook family

- Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes:
    com.orusfeeqs.qeqbzstsn
    /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.orusfeeqs.qeqbzstsn/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.orusfeeqs.qeqbzstsn/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  IoCs (ioc | pid | process):
    /data/user/0/com.orusfeeqs.qeqbzstsn/app_dex/classes.dex | 4252 | com.orusfeeqs.qeqbzstsn
    /data/user/0/com.orusfeeqs.qeqbzstsn/app_dex/classes.dex | 4281 | /system/bin/dex2oat (full command line listed above)
    /data/user/0/com.orusfeeqs.qeqbzstsn/app_dex/classes.dex | 4252 | com.orusfeeqs.qeqbzstsn

- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes: com.orusfeeqs.qeqbzstsn
  IoCs (description | ioc | process):
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.orusfeeqs.qeqbzstsn
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.orusfeeqs.qeqbzstsn
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.orusfeeqs.qeqbzstsn

- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

- Queries information about running processes on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Processes: com.orusfeeqs.qeqbzstsn
  IoCs (description | ioc | process):
    Framework service call | android.app.IActivityManager.getRunningAppProcesses | com.orusfeeqs.qeqbzstsn

- Queries the phone number (MSISDN for GSM devices) (1 TTPs)

- Acquires the wake lock (1 IoCs)
  Processes: com.orusfeeqs.qeqbzstsn
  IoCs (description | ioc | process):
    Framework service call | android.os.IPowerManager.acquireWakeLock | com.orusfeeqs.qeqbzstsn

- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes: com.orusfeeqs.qeqbzstsn
  IoCs (description | ioc | process):
    Framework service call | android.app.IActivityManager.setServiceForeground | com.orusfeeqs.qeqbzstsn

- Performs UI accessibility actions on behalf of the user (1 TTPs, 5 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  Processes: com.orusfeeqs.qeqbzstsn
  IoCs (ioc | process), five occurrences:
    android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.orusfeeqs.qeqbzstsn
    android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.orusfeeqs.qeqbzstsn
    android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.orusfeeqs.qeqbzstsn
    android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.orusfeeqs.qeqbzstsn
    android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.orusfeeqs.qeqbzstsn

- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes: com.orusfeeqs.qeqbzstsn
  IoCs (description | ioc | process):
    Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.orusfeeqs.qeqbzstsn

- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Processes: com.orusfeeqs.qeqbzstsn
  IoCs (description | ioc | process):
    Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.orusfeeqs.qeqbzstsn

- Reads information about phone network operator (1 TTPs)

- Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
  Processes: com.orusfeeqs.qeqbzstsn
  IoCs (description | ioc | process):
    Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.orusfeeqs.qeqbzstsn

- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Processes: com.orusfeeqs.qeqbzstsn
  IoCs (description | ioc | process):
    Framework service call | android.app.IActivityManager.registerReceiver | com.orusfeeqs.qeqbzstsn

- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Processes: com.orusfeeqs.qeqbzstsn
  IoCs (description | ioc | process):
    Framework service call | android.app.job.IJobScheduler.schedule | com.orusfeeqs.qeqbzstsn

- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  Processes: com.orusfeeqs.qeqbzstsn
  IoCs (description | ioc | process):
    Framework API call | javax.crypto.Cipher.doFinal | com.orusfeeqs.qeqbzstsn

- Checks CPU information (2 TTPs, 1 IoCs)
  Processes: com.orusfeeqs.qeqbzstsn
  IoCs (description | ioc | process):
    File opened for read | /proc/cpuinfo | com.orusfeeqs.qeqbzstsn

- Checks memory information (2 TTPs, 1 IoCs)
  Processes: com.orusfeeqs.qeqbzstsn
  IoCs (description | ioc | process):
    File opened for read | /proc/meminfo | com.orusfeeqs.qeqbzstsn
Processes

- com.orusfeeqs.qeqbzstsn (PID 4252)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Queries information about running processes on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Requests accessing notifications (often used to intercept notifications before users become aware)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information

  - Child process (PID 4281): /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.orusfeeqs.qeqbzstsn/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.orusfeeqs.qeqbzstsn/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution: 1
- Broadcast Receivers: 1
- Foreground Persistence: 1
- Scheduled Task/Job: 1

Defense Evasion
- Download New Code at Runtime: 1
- Foreground Persistence: 1
- Impair Defenses: 1
- Prevent Application Removal: 1
- Input Injection: 1
- Virtualization/Sandbox Evasion: 2
- System Checks: 2

Credential Access
- Access Notifications: 1
- Input Capture: 2
- GUI Input Capture: 1
- Keylogging: 1

Discovery
- Process Discovery: 1
- Software Discovery: 1
- Security Software Discovery: 1
- System Information Discovery: 2
- System Network Configuration Discovery: 3
- System Network Connections Discovery: 1
Downloads